Nov 18, 2014
Silvio Cesare <[email protected]>
Deakin University
PhD student at Deakin University
Malware detection
Software theft detection
Automated vulnerability discovery
Speaker at Ruxcon, Blackhat, CSW and academic conferences.
This talk contains some Linux work done at university.
C Bugs
Environment Variable Fuzzing Bugs
Inter-Distribution Bugs
Embedded Packages Bugs
void *memset(void *DST, int C, size_t length)
Assign buffer contents to a specific value.
Zeroing a buffer is common.
C and length are sometimes confused.
memset(x,y,0) is almost always a bug.
Not very exploitable (except sensitive data).
Scanned Debian, Fedora, and Owl.
27+ bug reports for Debian.
2 bugs in Owl.
As a result, Debian is now incorporating a memset check in their automated testing system.
/* Initialize to 0 so that test_parse_c gives reliable results */
memset (&Uni2, sizeof (Uni2), 0);
memset (&Uni3, sizeof (Uni2), 0);
/*only the paranoids survive */
memset( list, sizeof( HListNode ), 0 );
gnat-gps package in Debian
bibindex package in Debian
argv[0] is the program name passed by exec* to execute a command in Unix.
You can pass a NULL argv[0].
Crashes programs that (mis)use argv[0].
Unlikely to be exploitable.
A non null argv[0] should be enforced in the kernel.
Tested on 2737 programs in Debian.
741 crashes.
27% crash.
Format String Bugs
printf\(getenv|printf\(argv
1 format string bug in Debian (debug).
gets
Use of this function is a bug.
1 in Debian debug binutils h8300-hms target.
argv buffer overflows
strcpy\(.*argv|sprintf\(.*argv|strcat\(.*argv
Restricted to SUID/SGID programs.
Vulnerability in Debian xdigger SGID games.
getenv buffer overflows
So many overflows in non privileged programs.
A future project is to submit bug reports for these.
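The grep-style source checks from the slides (the memset value/length swap, printf on getenv/argv, unbounded str*/sprintf on argv, and gets), combined into one small scanner. This is an added example, not code from the talk or from the Automated-Audits repository: the C lines it scans are constructed here, and the memset regex is an addition modelled on the swapped-argument bugs shown above.

```python
import re

# Constructed sample of C source lines covering the bug classes in the slides,
# with a correct counterpart next to each buggy call.
SAMPLE_C = """\
memset (&Uni2, sizeof (Uni2), 0);      /* value and length swapped */
memset(buf, 0, sizeof(buf));           /* correct */
memset(list, sizeof(HListNode), 0);
printf(getenv("HOME"));                /* format string from environment */
printf("%s\\n", getenv("HOME"));        /* correct */
printf(argv[1]);
strcpy(path, argv[1]);                 /* unbounded copy of argv */
sprintf(cmd, "%s -x", argv[2]);
strncpy(path, argv[1], sizeof(path) - 1);
gets(line);
fgets(line, sizeof line, stdin);
"""

# (bug class, regex). The last three follow the grep patterns on the slides;
# the memset pattern (literal 0 as the length argument) is an added check.
CHECKS = [
    ("memset zero length", re.compile(r"\bmemset\s*\([^,]+,[^,]+,\s*0\s*\)")),
    ("format string", re.compile(r"\bprintf\s*\(\s*(getenv|argv)")),
    ("argv overflow", re.compile(r"\b(strcpy|sprintf|strcat)\s*\(.*argv")),
    ("gets", re.compile(r"\bgets\s*\(")),
]


def scan(source):
    """Return (line_number, bug_class, code) for every line matching a check."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("/*")[0]  # drop trailing comments before matching
        for name, pattern in CHECKS:
            if pattern.search(code):
                findings.append((lineno, name, code.strip()))
    return findings


if __name__ == "__main__":
    for lineno, name, code in scan(SAMPLE_C):
        print(f"{lineno:3}: [{name}] {code}")
```

Like the original grep runs, this is a textual first pass: it flags candidates for manual review, and a match on strcpy/argv only matters when the program is SUID/SGID.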
My PhD work uses static analysis on binaries to detect simple bugs.
Need to know which programs to audit?
find / -type f \( -perm +2000 -o -perm +4000 \)
Better -> look at a package repository.
Fedora is aiming to eliminate SUID.
Debian: 298 SUID/SGID programs.
Fedora: 368 SUID/SGID programs.
Debian now using my list on the security tracker.
Fedora using my list on the wiki.
Long env variables can trigger buffer overflows.
Attacker targets SUID/SGID programs.
Local attack – set hostile env variable, then run privileged program.
Public fuzzing tools for 10+ years, eg sharefuzz.
Fuzzed most SUID/SGID programs in Debian.
A number of assertion failures.
3 segmentation faults.
2 segv in SGID games programs.
1 SUID root segv: zhcon package (bug in libggi).
If package FOO in Fedora vuln,
then package FOO in Debian probably vuln.
If no advisory, then it might be untracked.
Performed one time scan correlating Fedora and Debian advisories.
1 missing vulnerability in Debian: gnucash package.
Software often embeds libraries or other code.
Classic example zlib compression library.
If zlib is vuln, update system library.
In embedded case, update needs to be done manually and package rebuilt.
Many libraries have version strings that identify them.
Manual approach is to grep for vulnerable embedded package signatures.
Bugs found scanning for libpng, bzip2, libtiff etc signatures in Debian and Fedora.
My PhD work replaces and automates this process.
16 vulnerabilities in Debian
15 vulnerabilities in Fedora
Eg, Fedora sepostgresql using a vulnerable fork of postgresql.
Fedora to use my results on their wiki.
For simple bug classes, given enough data you will find vulnerabilities.
Linux vendors have patched these or are patching.
http://github.com/silviocesare/Automated-Audits
Thanks for watching!